Reading this article and answering the related questions can count towards your verifiable CPD if you are following the unit route to CPD and the content is relevant to your learning and development needs. One hour of learning equates to one unit of CPD. We suggest you use this as a guide when allocating yourself CPD units.

One of the most important functions in any organisation will be Human Resources (HR, formerly known as Personnel). Even if the majority of an organisation’s operations are automated, people are essential to deciding why, how and when to automate what. Making sure the right people are in the right roles helps the organisation achieve its objectives, and it can’t do so without HR.

We often associate HR with ‘JML’ – the policies and processes that govern staff joining, moving within, and leaving the organisation. Within those three categories are numerous other sub-categories: workforce planning, recruitment, hiring and induction; personal development, well-being, performance management, promotion; resignation, retirement, redundancy, industrial relations, dismissal, or death in service. 

In addition, there is a range of much more sensitive matters that HR must help management address. These include misconduct, grievances and formal complaints of bullying, discrimination, or harassment, as well as allegations of criminal wrongdoing.

It makes sense that if an HR function manages these delicate situations well, it will reduce the financial, reputational and legal risk an organisation faces. Ultimately, however, HR reflects the culture set by the Board – if the Board is indifferent to staff wellbeing and behaviour, then HR will have difficulty persuading senior managers to recruit, retain and promote people with positive values and ethical standards.

Internal auditors must approach any engagement with a thorough understanding of the organisation’s objectives and culture. The ‘tone at the top’, set by the Board, should tell everyone inside and outside the organisation what the culture is – ‘the way we do things around here.’ And this is absolutely within Internal Audit’s remit, as the Chartered Institute of Internal Auditors Code of Practice for Internal Audit makes clear.

Even if the ‘tone at the top’ champions integrity, transparency, and the like, this doesn’t mean it will prevail. The Board may say one thing officially, for the regulators and media, but internally support or ignore poor behaviour. Even if the Board is sincere in its statements, not all regions or departments may comply. Again, Internal Audit must play a key role in observing and reporting this.

An HR audit is an excellent opportunity to see how the function not only communicates, but also behaves in accordance with the organisation’s values. Internal Audit will therefore review not only controls such as policies and processes, but also behaviour, communications, and staff survey results. After all, the documented control may tell one story – people’s everyday actions, another.

Any disconnect between the two will come into sharp relief during conflict. Entrenched disagreements, allegations of misconduct, instances of mistreatment – all these very human situations show whether an organisation’s professed beliefs mean anything in practice.

Whistleblowing or raising concerns procedures are a tool many organisations use, ideally in accordance with the 1998 UK Public Interest Disclosure Act (PIDA) and the UK Corporate Governance Code (2018). Although many senior managers may feel nervous about an anonymous ‘tip line’, it is essential for staff to have a channel through which they can safely report serious concerns – anything from bullying to fraud, or other criminal activity. Moreover, it’s in the organisation’s interest to encourage speaking out, whether openly or via a whistleblowing channel. If something is badly wrong, then staff need to be able to tell managers about it; if managers can’t or won’t listen, staff need a mechanism to alert those who will. Not having speaking-out mechanisms presents serious risks for an organisation – it will miss out on the benefits and opportunities of such ‘early warning systems’. Worse, a lack of confidential channels implies a culture of defensiveness and lack of trust. Few organisations can thrive in such circumstances.

It is for Internal Audit to understand what the procedures are and how confidently staff use them. In some cases, Internal Audit may have a role in the procedures – its independence and objectivity make it an obvious choice. However, depending on the role Internal Audit plays, it may then have to step back from any associated assurance engagements. Once Internal Audit either initially assesses (triages) allegations, or investigates them, it cannot provide independent assurance over the organisation’s whistleblowing framework.

If Internal Audit does stand apart from this control, it can conduct assurance or consultancy engagements. In either case, HR is likely to play a role in the whistleblowing framework, whether by helping to establish it, carrying out certain tasks within it, or simply communicating to staff its purpose and workings. If Internal Audit observes that HR’s role in whistleblowing doesn’t support objectivity, anonymity, and thoroughness in addressing staff allegations, that is worth pursuing. Is this because HR doesn’t understand the value and purpose of whistleblowing? Does it not understand the controls needed to maintain staff confidence in the mechanism? Or is it because the ‘tone at the top’ proudly broadcasts the existence of a whistleblowing process, yet doesn’t truly support it? These are all questions internal auditors can and must seek to answer.

Of course, staff complaints and grievances do not always come through whistleblowing channels. HR has a major role to play in helping managers respond to problems ranging from dysfunction within teams to poor individual performance. If the problem is managers themselves, then HR must have processes in place to manage the matter fairly, striking the right balance between openness and discretion.

All too often, HR will find itself helping managers to ‘manage out’ individuals or even entire teams. Internal Audit needs to be sure that HR is not applying the same approach in all instances. 

A poorly performing member of staff should not simply be shunted off to another luckless team, for another manager to suffer. Nor is the solution sacking the individual on spurious grounds. 

Organisations may be automating operations and therefore needing fewer staff – is HR helping senior management ‘restructure’ properly? Many HR functions have key skills that can assist in organisational design and development. Or is HR simply doing management’s bidding, processing the paperwork to make people redundant without proper analysis or, where required, consultation? Internal Audit should be alert to situations where redundancy is a fig-leaf for removing poor performers – or whistleblowers.

Sometimes ‘managing out’ is senior management’s preferred option to deal with a difficult member of staff. HR will be called upon to help with the process and must ensure that it is as fair and transparent as possible. If the member of staff is suspected or even known to be a whistleblower, then HR should encourage managers to use great caution. Even if the reason for the member of staff’s departure is completely unrelated to their whistleblowing, most people will assume the person is being punished for speaking out. This can of course lead to serious reputational and possibly financial and legal risks, if the former member of staff goes public.

To manage this risk, many organisations have started using non-disclosure agreements (NDAs) more frequently. This has long been standard practice in companies specialising in technical research and development, where an NDA could prevent a former employee from sharing precious intellectual property with a rival. However, recent cases have shown organisations using NDAs to ‘gag’ former employees who have endured criminal abuse. An audit of HR practices when ‘managing out’ staff should look carefully at when, how and why NDAs are used. Are they genuinely to protect the organisation’s investment in proprietary data? Or are they an abuse of power, designed to protect senior staff members who have engaged in unethical or criminal activity?

If so, what and who is the organisation protecting, and why? And how does this fit with the ‘tone at the top’?

How an organisation responds to credible accusations of harassment, discrimination, assault, and other crimes tells its staff – and the world – what its values are. Does it investigate, discipline and, if necessary, report the culpable party to law enforcement? Does it do this – but only at less senior levels? Or does it sweep everything under the carpet, ‘managing out’ the complaining employee, insisting on an NDA?

If the organisation believes it is protecting its reputation, its brand and ultimately its income through the last two approaches, Internal Audit can identify the problem and warn senior managers of the risks. They may think the approach is sustainable, but Internal Audit should point to the serious and prolonged damage it can cause. Employees know when senior managers protect themselves, not staff. Likely effects include high turnover, absenteeism, cynicism, poor productivity, possibly fraud – and of course management time wasted on repeated complaints about the same people causing the same problems. HR will be involved in or aware of all these consequences.

Ultimately, it’s up to you as internal auditors – which approach do you think best helps an organisation achieve its objectives? Assuming your organisation has a meaningful policy on ethics, and robustly stands behind controls such as a code of conduct, then Internal Audit is uniquely placed to identify how HR helps make ‘tone at the top’ a reality.


John Chesshire, CFIIA

John Chesshire is the part-time Chief Assurance Officer for the States of Guernsey, leading its internal audit, risk management and wider assurance communities. He is also the Independent Internal Audit Committee Chair at the London Borough of Hillingdon and runs his own internal audit training company, JC Audit Ltd. His recent clients include FTSE listed companies, multinationals, central and local government, law enforcement, professional services firms, CIPFA, NATO, the OECD and the Chartered Institute of Internal Auditors, IIA Hellenic, IIA Latvia and IIA Lithuania. He particularly enjoys leading audit engagements and delivering training on auditing HR and people risk!

